I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.

As I’ve noted from previous years, the deep content simply isn’t here. I no longer attend to learn about anything new and innovative — if I encounter such a thing, I view it as a pleasant surprise. Instead, this is basically a time and place where I can catch up with many friends and former students, see some industry trends, and maybe score a few new T-shirts. It also is a good intro to my spring workout schedule — I do about 20 miles of walking over 5 days, and I don’t eat many full meals.

Here are some of my random takes on this year’s conference:

The Program

• The program is far too full, with all sorts of concurrent workshops and sessions. Most of them are simply people spouting obvious maxims and recounting basics as seen through the lens of the company they represent. It is difficult to pick out ahead of time the ones that aren’t really a waste of time if you know something about the field already.
• Major talks seem to fall into two categories: executives speaking in slots their companies paid for, and “celebrities” who end up speaking nearly every year. Some of the latter are quite talented, but there is a déjà vu element at play.
• Most of what is presented in sessions would not be a surprise to my students (at least, not the ones who stayed awake in class). I ran into about 15 former students here, and some basically repeated that to me. Apparently, there is a demand for being told unsurprising, basic information at conferences.

The Exhibitors

The Moscone Center was packed again. It took well over 2 days to walk all the booths, asking questions at some and skipping others. Overall, I was not impressed.

• Once again it seemed that about 20% of the booths were new companies we had not seen before…and may not see again. For many new starts, the VC money is spent to create a booth here, and if the company doesn’t catch a certain level of notoriety (and sales), it may not exist a full year.
• Many more non-US companies were exhibiting here this year. I recognized players from the UK, Canada, China, Taiwan, Germany, Korea, and the Netherlands.
• The consolidation trend is more obvious: M&A activity has been integrating smaller companies into bigger players to provide more of a “full suite” solution to customers. Bigger companies tend not to take risks to innovate internally anymore. Instead, they let small companies do the innovation, and if they survive, they get gobbled up.
• No apparent buzzword trend this year. Big data and threat intelligence were prominent a year ago. I was afraid that this year I would be overwhelmed with some combination of “blockchain,” “AI,” and “data science.” Thankfully, that didn’t happen. Maybe next year?
• Over half the booths had no words or diagrams on the walls to indicate what the company actually did or why I would want to stop to talk to the people there. A majority made claims such as “leader,” “complete,” “new” and other such adjectives that were clearly false or unverifiable.
• Conference management has been good about keeping the vendors from employing “booth babes” (see my links to the 2014/2015 conferences, above). To bring people into the booths, the leading contenders seemed to be participatory video games, contests to win drones, and people in white lab coats. One vendor was even raffling off a car. If the companies did a better job conveying what they were doing, perhaps they wouldn’t need these gimmicks?
• Sideshow-style 15 minute, loud presentations in big booths were more prevalent — and still obnoxious. Several of these presented a traffic hazard when trying to walk by them.
• At some locations the personnel were especially obnoxious about trying to scan every badge of every person even walking in the aisle. Most were polite, however, and a few were even friendly. I enjoyed talking with many people.
• Socks seem to have replaced T-shirts as the predominant clothing giveaway. There were still some good shirts to be obtained, however. One vendor rep was joking that next year it will be branded underwear.
• I got the sense budgets were leaner at many companies — fewer people, fewer giveaways.
• I noted two companies had commitments to donate to non-profits when people visited their booths: Tripwire and Tinfoil Security. Kudos to them. I’d definitely rather have that than a fidget spinner or a box of mints.

More generally

I had a few people recognize me and say hello. That happens less each year. I am not so vain that I expect people to recognize me, but I do feel somewhat the dinosaur to be wandering the aisles when people don’t know my name even with prompting. My wife (who wandered the floor with me) found it particularly amusing when they tried to argue security concepts with me, or teach me history. One fun example was when a couple of people tried to explain the history and operation of the Internet Worm to me. Another fun time was had at a booth when a sales guy tried to dismiss my comments about his product with my “The only secure computer is one encased in concrete…” meme without knowing it was my original quote or who I was; I first uttered that years before he was born! (See #8 here.) He was annoyed I started laughing.

Despite GDPR coming into force in the EU (and the rest of the world, for large companies), privacy was hardly mentioned at any booth. Apparently, that isn’t of interest to this crowd.

There were some really questionable decorations. One booth was highly illuminated in bright green light. It actually made me feel a little nauseous; what were they thinking? Others had bright flashing lights (distracting, annoying, and probably a trigger for people with migraines or epilepsy). Word salad was the norm on too many booths. Few appeared to be accessible to the mobility impaired, although I only saw 3 such people in the floor in 3 days.

I saw a few vendors who effectively claimed they supported customers keeping longer audit logs that could be examined to find evidence once a breach was discovered. Think about that — the assumption is that assembled products can’t protect an enterprise well enough, or respond quickly, so that a months-long record is needed to find out when and why the failure occurred. Furthermore, that idea is normalized enough that there are companies that can sell products & services around it. Crazy.

There seem to be more advertised products/services around metrics. They don’t agree with each other on what they should be measuring or how they do it, but they claim to measure “security.” In many cases, I conjecture throwing dice would be cheaper and about as useful.

I was disappointed by the expertise and horizons of some of these people. I talked to the “CTO” at more than a half-dozen of the vendors, and their knowledge of some basic terms and history seems to reach back only about 5-6 years. This contributed to the claims of “brand new!” for several of them — they had no idea what was done before. (This is a problem rampant in academia, too — if something occurred before Google was able to index it, it never happened, apparently.) After failing to find any reasonably-aware person in my first half-dozen attempts, I stopped looking.

Sadly, the lack of foundations for the people at most of the booths mirrored the lack of a solid foundation for the products. There are some good, useful products and services present on the market. But the vast majority are intended to apply bandaids (or another layer of virtualization) on top of broken software and hardware that was never adequately designed for security. Each time one of those bandaids fails, another company springs up to slap another on over the top. That then leads to acquisition and integration into security suites. No one is really attacking the poor underlying assumptions and broken architectures. (See my last two blog posts here for more on this: here and here.) This is related to why I don’t submit proposals to talk at the conference — I tried a few years ago and the message conveyed to me was that it was out of step with what the sponsors wanted presented. The industry is primarily based on selling the illusion that vendors' products can — in the right combination and with enough money spent — completely protect target systems. Someone pointing out that this is fundamentally flawed is not a welcome addition. I get that a lot — it is probably why I don’t get asked to be a company advisor, either. People would rather believe they can find a unicorn to grant them immortality rather than hear the dreary truth that they will die someday, and probably sooner than they expect. Instead of hearing that, let there be bread and circuses!

I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.

Oh, and I wish those damn kids would stay off my lawn.

A recent visit and conversation with Steve Crocker prompted me to think about how little the current security landscape has really changed from the past. I started looking through some of my archives, and that was what prompted my recent post here: Things are not getting better.

I posted that and it generated a fair bit of comment over on LinkedIn, which then led to me making some comments about how the annual RSA conference doesn’t reflect some of the real problems I worry about, and wondering about attendance. That, in turn, led me to remember a presentation I started giving about 6 years ago (when I was still invited to give talks at various places). It needed one editorial correction, and it is still valid today. I think it outlines some of the current problematic aspects of security in the commercial space, and security research. Here it is: Rethinking Security. This is a set of presentation slides without speaker notes or an audio recording of me presenting them, but I think you’ll get the ideas from it.

Coincident to this, an essay I wrote in conjunction with Steven Furnell, of the University of Plymouth in the UK, appeared in the British Computing Society’s online list. It describes how some things we’ve known about for 30 years are still problems in deployed security. Here’s that column: The Morris worm at 30.

Steve and I are thinking about putting something together to provide an overview of our 80+ years combined experience with security and privacy observations. As I delve more into my archives, I may be reposting more here. You may also be interested in some videos of some of my past talks, that I wrote about in this blog last year.

In the meantime, continue to build connected home thermostats and light bulbs that spy on the residents, and network-connected shoes that fail in ways preventing owners from being able to wear them, among other abominations. I'll be here, living in the past, trying to warn you.

---

PS. The 20th CERIAS Symposium is approaching! Consider attending. More details are online.

I was reminded this morning that nearly 10 years ago testimony I gave before a US Senate committee about cybersecurity. Sadly, I think things are worse and we are continuing on the same self-destructive path.

Here is a copy of that testimony.

Anybody who thinks tools and patching are the solutions doesn't understand the problems.

Now that the government has decreed our national focus should be on quantum and artificial intelligence, things are likely to get worse even faster -- those technologies will introduce new vulnerabilities faster than they may fix any, especially as vendors seek to rush items to market.

CERIAS continues to be a bright spot, but there is so much more we (at CERIAS, and more globally) could do if we had the resources.

In early April is the 20th CERIAS Symposium. I invite you to attend to see what Purdue's continuing efforts are accomplishing, and especially to meet some of our bright and motivated students, and connect with some of our tremendously talented faculty and staff.

The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019. Nominations are only open until February 15.

Current honorees are listed at the Cybersecurity Hall of Fame site. .

Help by nominating qualified candidates! See the instruction site for details of nominations..

Help spread the word!.

I created a YouTube channel a while back, and began uploading my videos and linking in videos of me that were online. Yes, it’s a dedicated Spaf channel! However, I’m not on camera eating Tide pods, or doing odd skateboard stunts. This is a set of videos with my research and views over the years on information (cyber) security, research, education, and policies.

There are two playlists under the channel — one for interviews that people have conducted with me over the years, and the other being various conference and seminar talks.

One of the seminar talks was one I did at Bellcore on the Internet Worm — about 6 weeks after it occurred (yes, that’s 1988)! Many of my observations and recommendations in that talk seem remarkably current — which I don’t think is necessarily a good observation about how current practice has (not) evolved.

My most recent talk/video is a redo of my keynote address at the 2017 CISSE conference held in June, 2017 in Las Vegas. The talk specifically addresses what I see as the needs in current information security education. CISSE was unable to record it at the time, so I redid it for posterity based on the speaker notes. It only runs about 35 minutes long (there were no introductions or Q&A to field) so it is a quicker watch than being at the conference!

I think there are some other goodies in all of those videos, including views of my bow ties over the years, plus some of my predictions (most of which seem to have been pretty good). However, I am putting these out without having carefully reviewed them — there may be some embarrassing goofs among the (few) pearls of wisdom. It is almost certain that many things changed away from the operational environment that existed at the time I gave some of these talks, so I’m sure some comments will appear “quaint” in retrospect. However, I decided that I would share what I could because someone, somewhere, might find these of value.

If you know of a recording I don’t have linked in to one of the lists, please let me know.

Comments appreciated. Give it a look!